Commit a5c077e4 authored by Brian Wellington's avatar Brian Wellington

1181. [func] Add the "key-directory" configuration statement,

                        which allows the server to look for online signing
			keys in alternate directories.
parent 2ca55630
1181. [func] Add the "key-directory" configuration statement,
which allows the server to look for online signing
keys in alternate directories.
1180. [func] dnssec-keygen should always generate keys with
protocol 3 (DNSSEC), since it's less confusing
that way.
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.92 2001/12/11 23:53:13 marka Exp $ */
/* $Id: update.c,v 1.93 2002/01/21 11:00:11 bwelling Exp $ */
#include <config.h>
......@@ -1500,14 +1500,16 @@ add_placeholder_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
}
static isc_result_t
find_zone_keys(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys)
find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
isc_mem_t *mctx, unsigned int maxkeys,
dst_key_t **keys, unsigned int *nkeys)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
const char *directory = dns_zone_getkeydirectory(zone);
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
CHECK(dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
mctx, maxkeys, keys, nkeys));
CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
directory, mctx, maxkeys, keys, nkeys));
failure:
if (node != NULL)
dns_db_detachnode(db, &node);
......@@ -1574,9 +1576,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
* The SIGs generated will be valid for 'sigvalidityinterval' seconds.
*/
static isc_result_t
update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
dns_dbversion_t *newver, dns_diff_t *diff,
isc_uint32_t sigvalidityinterval)
update_signatures(isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *oldver, dns_dbversion_t *newver,
dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
{
isc_result_t result;
dns_difftuple_t *t;
......@@ -1598,7 +1600,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
dns_diff_init(mctx, &nxt_diff);
dns_diff_init(mctx, &nxt_mindiff);
result = find_zone_keys(db, newver, mctx,
result = find_zone_keys(zone, db, newver, mctx,
MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE,
......@@ -2460,7 +2462,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
if (dns_db_issecure(db)) {
result = update_signatures(mctx, db, oldver, ver,
result = update_signatures(mctx, zone, db, oldver, ver,
&diff, dns_zone_getsigvalidityinterval(zone));
if (result != ISC_R_SUCCESS) {
update_log(client, zone,
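Review bot: find_zone_keys (second hunk) holds the raw pointer returned by dns_zone_getkeydirectory() across dns_db_findnode and dns_dnssec_findzonekeys2 without taking the zone lock, whereas dns_zone_setkeydirectory in zone.c replaces zone->keydirectory under LOCK_ZONE via dns_zone_setstring and zone_free releases it with isc_mem_free. If a reconfiguration can run while a dynamic update is being signed, the directory string may be freed underneath the key lookup; I cannot see from these hunks whether the task model rules that out. Either copy the string under the zone lock before the lookup, or document on the getter in zone.h that the pointer is only valid while no reconfiguration is in flight, and say which in a comment at the call site, e.g. `/* Unlocked read: relies on reconfiguration not racing an in-progress update. */`. The same concern applies to the getter in zone.c and its declaration in zone.h. update_signatures and update_action start and end outside their hunks.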
......@@ -15,11 +15,12 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.98 2002/01/14 04:16:01 marka Exp $ */
/* $Id: zoneconf.c,v 1.99 2002/01/21 11:00:12 bwelling Exp $ */
#include <config.h>
#include <isc/buffer.h>
#include <isc/file.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
......@@ -535,6 +536,20 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsigvalidityinterval(zone,
cfg_obj_asuint32(obj) * 86400);
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
if (result == ISC_R_SUCCESS) {
filename = cfg_obj_asstring(obj);
if (!isc_file_isabsolute(filename)) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
"key-directory '%s' "
"is not absolute", filename);
return (ISC_R_FAILURE);
}
RETERR(dns_zone_setkeydirectory(zone, filename));
}
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update-forwarding", ac, zone,
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.14 2002/01/14 04:15:58 marka Exp $ */
/* $Id: check.c,v 1.15 2002/01/21 11:00:14 bwelling Exp $ */
#include <config.h>
......@@ -184,6 +184,7 @@ check_zoneconf(cfg_obj_t *zconfig, isc_symtab_t *symtab,
{ "pubkey", MASTERZONE | SLAVEZONE | STUBZONE },
{ "update-policy", MASTERZONE },
{ "database", MASTERZONE | SLAVEZONE | STUBZONE },
{ "key-directory", MASTERZONE },
};
static optionstable dialups[] = {
......@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.70 2001/11/30 01:59:07 gson Exp $
* $Id: dnssec.c,v 1.71 2002/01/21 11:00:17 bwelling Exp $
*/
......@@ -481,8 +481,9 @@ cleanup_struct:
== DNS_KEYOWNER_ZONE)
isc_result_t
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
const char *directory, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
{
......@@ -508,7 +509,7 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
dst_key_id(pubkey),
dst_key_alg(pubkey),
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
NULL,
directory,
mctx, &keys[count]);
if (result == DST_R_INVALIDPRIVATEKEY)
goto next;
......@@ -540,6 +541,16 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
return (result);
}
isc_result_t
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
{
return (dns_dnssec_findzonekeys2(db, ver, node, name, NULL, mctx,
maxkeys, keys, nkeys));
}
isc_result_t
dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
dns_rdata_sig_t sig;
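Review bot: The compatibility wrapper dns_dnssec_findzonekeys (third hunk) carries no comment saying why it exists or that a NULL 'directory' reproduces the previous behaviour, so it reads like a duplicate entry point. A one-line comment above it, `/* Compatibility wrapper: searches the default key directory (directory == NULL). */`, would make its relationship to dns_dnssec_findzonekeys2 explicit. In the second hunk the directory argument is forwarded unchanged to the key-loading call, so any validation of the value is the caller's responsibility and is worth stating in the header.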
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec.h,v 1.22 2001/10/10 21:39:15 gson Exp $ */
/* $Id: dnssec.h,v 1.23 2002/01/21 11:00:22 bwelling Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
......@@ -113,6 +113,12 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
dns_name_t *name, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys);
isc_result_t
dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
const char *directory, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys);
/*
* Finds a set of zone keys.
* XXX temporary - this should be handled in dns_zone_t.
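Review bot: The prototype for dns_dnssec_findzonekeys2 is inserted between dns_dnssec_findzonekeys's prototype and the comment block that documents it, so the comment now visually attaches only to the new function while never mentioning the new 'directory' parameter. Move or extend the comment so it covers both entry points and add the parameter's contract, for example `'directory' names the directory searched for private key files; NULL selects the default.` The comment block continues outside the hunk.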
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.108 2001/11/09 04:21:57 marka Exp $ */
/* $Id: zone.h,v 1.109 2002/01/21 11:00:23 bwelling Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
......@@ -1098,6 +1098,34 @@ dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
* (result ISC_R_NOMORE).
*/
isc_result_t
dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
/*
* Sets the name of the directory where private keys used for
* online signing of dynamic zones are found.
*
* Require:
* 'zone' to be a valid zone.
*
* Returns:
* ISC_R_NOMEMORY
* ISC_R_SUCCESS
*/
const char *
dns_zone_getkeydirectory(dns_zone_t *zone);
/*
* Gets the name of the directory where private keys used for
* online signing of dynamic zones are found.
*
* Requires:
* 'zone' to be valid initialised zone.
*
* Returns:
* Pointer to null-terminated file name, or NULL.
*/
isc_result_t
dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
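Review bot: The two new comment blocks are inconsistent and incomplete: the setter says `Require:` while the getter says `Requires:`, the getter's `'zone' to be valid initialised zone.` is missing an article, and neither states who owns the returned string or whether passing NULL to the setter clears the directory (dns_zone_setstring's handling of NULL is not visible in this commit). Suggest `'zone' to be a valid initialised zone.` for the getter and adding to its Returns section `The pointer is owned by the zone and is valid only until dns_zone_setkeydirectory() is next called or the zone is freed.` The declaration of dns_zonemgr_create at the end of the hunk continues outside it.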
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.358 2002/01/15 06:42:15 marka Exp $ */
/* $Id: zone.c,v 1.359 2002/01/21 11:00:20 bwelling Exp $ */
#include <config.h>
......@@ -157,6 +157,7 @@ struct dns_zone {
isc_uint32_t retry;
isc_uint32_t expire;
isc_uint32_t minimum;
char *keydirectory;
isc_uint32_t maxrefresh;
isc_uint32_t minrefresh;
......@@ -501,6 +502,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->irefs = 0;
dns_name_init(&zone->origin, NULL);
zone->masterfile = NULL;
zone->keydirectory = NULL;
zone->journalsize = -1;
zone->journal = NULL;
zone->rdclass = dns_rdataclass_none;
......@@ -609,6 +611,9 @@ zone_free(dns_zone_t *zone) {
if (zone->masterfile != NULL)
isc_mem_free(zone->mctx, zone->masterfile);
zone->masterfile = NULL;
if (zone->keydirectory != NULL)
isc_mem_free(zone->mctx, zone->keydirectory);
zone->keydirectory = NULL;
zone->journalsize = -1;
if (zone->journal != NULL)
isc_mem_free(zone->mctx, zone->journal);
......@@ -6187,6 +6192,25 @@ dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
UNLOCK_ZONE(zone);
}
isc_result_t
dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
isc_result_t result = ISC_R_SUCCESS;
REQUIRE(DNS_ZONE_VALID(zone));
LOCK_ZONE(zone);
result = dns_zone_setstring(zone, &zone->keydirectory, directory);
UNLOCK_ZONE(zone);
return (result);
}
const char *
dns_zone_getkeydirectory(dns_zone_t *zone) {
REQUIRE(DNS_ZONE_VALID(zone));
return (zone->keydirectory);
}
unsigned int
dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
dns_zone_t *zone;
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.1 2002/01/04 02:32:12 gson Exp $ */
/* $Id: namedconf.c,v 1.2 2002/01/21 11:00:25 bwelling Exp $ */
#include <config.h>
......@@ -597,6 +597,7 @@ zone_clauses[] = {
{ "min-refresh-time", &cfg_type_uint32, 0 },
{ "sig-validity-interval", &cfg_type_uint32, 0 },
{ "zone-statistics", &cfg_type_boolean, 0 },
{ "key-directory", &cfg_type_qstring, 0 },
{ NULL, NULL, 0 }
};